/mandos/release

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos.conf.xml

  • Committer: Teddy Hogeborn
  • Date: 2015-03-10 18:03:38 UTC
  • mto: (237.7.304 trunk)
  • mto: This revision was merged to the branch mainline in revision 325.
  • Revision ID: teddy@recompile.se-20150310180338-pcxw6r2qmw9k6br9
Add ":!RSA" to GnuTLS priority string, to disallow non-DHE kx.

If Mandos was somehow made to use a non-ephemeral Diffie-Hellman key
exchange algorithm in the TLS handshake, any saved network traffic
could then be decrypted later if the Mandos client key was obtained.
By default, Mandos uses ephemeral DH key exchanges which does not have
this problem, but a non-ephemeral key exchange algorithm was still
enabled by default.  The simplest solution is to simply turn that off,
which ensures that Mandos will always use ephemeral DH key exchanges.

There is a "PFS" priority string specifier, but we can't use it because:

1. Security-wise, it is a mix between "NORMAL" and "SECURE128" - it
   enables a lot more algorithms than "SECURE256".

2. It is only available since GnuTLS 3.2.4.

Thanks to Andreas Fischer <af@bantuX.org> for reporting this issue.

Show diffs side-by-side

added added

removed removed

Lines of Context:
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY CONFNAME "mandos.conf">
5
5
<!ENTITY CONFPATH "<filename>/etc/mandos/mandos.conf</filename>">
6
 
<!ENTITY TIMESTAMP "2009-01-04">
 
6
<!ENTITY TIMESTAMP "2013-10-23">
7
7
<!ENTITY % common SYSTEM "common.ent">
8
8
%common;
9
9
]>
20
20
        <firstname>Björn</firstname>
21
21
        <surname>Påhlsson</surname>
22
22
        <address>
23
 
          <email>belorn@fukt.bsnet.se</email>
 
23
          <email>belorn@recompile.se</email>
24
24
        </address>
25
25
      </author>
26
26
      <author>
27
27
        <firstname>Teddy</firstname>
28
28
        <surname>Hogeborn</surname>
29
29
        <address>
30
 
          <email>teddy@fukt.bsnet.se</email>
 
30
          <email>teddy@recompile.se</email>
31
31
        </address>
32
32
      </author>
33
33
    </authorgroup>
34
34
    <copyright>
35
35
      <year>2008</year>
36
36
      <year>2009</year>
 
37
      <year>2011</year>
 
38
      <year>2012</year>
 
39
      <year>2013</year>
37
40
      <holder>Teddy Hogeborn</holder>
38
41
      <holder>Björn Påhlsson</holder>
39
42
    </copyright>
118
121
        <term><option>priority<literal> = </literal><replaceable
119
122
        >STRING</replaceable></option></term>
120
123
        <listitem>
121
 
          <xi:include href="mandos-options.xml" xpointer="priority"/>
 
124
          <xi:include href="mandos-options.xml"
 
125
                      xpointer="priority_compat"/>
122
126
        </listitem>
123
127
      </varlistentry>
124
128
      
142
146
        </listitem>
143
147
      </varlistentry>
144
148
      
 
149
      <varlistentry>
 
150
        <term><option>use_ipv6<literal> = </literal>{ <literal
 
151
          >1</literal> | <literal>yes</literal> | <literal
 
152
          >true</literal> | <literal>on</literal> | <literal
 
153
          >0</literal> | <literal>no</literal> | <literal
 
154
          >false</literal> | <literal>off</literal> }</option></term>
 
155
        <listitem>
 
156
          <xi:include href="mandos-options.xml" xpointer="ipv6"/>
 
157
        </listitem>
 
158
      </varlistentry>
 
159
      
 
160
      <varlistentry>
 
161
        <term><option>restore<literal> = </literal>{ <literal
 
162
          >1</literal> | <literal>yes</literal> | <literal
 
163
          >true</literal> | <literal>on</literal> | <literal
 
164
          >0</literal> | <literal>no</literal> | <literal
 
165
          >false</literal> | <literal>off</literal> }</option></term>
 
166
        <listitem>
 
167
          <xi:include href="mandos-options.xml" xpointer="restore"/>
 
168
        </listitem>
 
169
      </varlistentry>
 
170
      
 
171
      <varlistentry>
 
172
        <term><option>statedir<literal> = </literal><replaceable
 
173
        >DIRECTORY</replaceable></option></term>
 
174
        <listitem>
 
175
          <xi:include href="mandos-options.xml" xpointer="statedir"/>
 
176
        </listitem>
 
177
      </varlistentry>
 
178
      
 
179
      <varlistentry>
 
180
        <term><option>socket<literal> = </literal><replaceable
 
181
        >NUMBER</replaceable></option></term>
 
182
        <listitem>
 
183
          <xi:include href="mandos-options.xml" xpointer="socket"/>
 
184
        </listitem>
 
185
      </varlistentry>
 
186
      
145
187
    </variablelist>
146
188
  </refsect1>
147
189
  
179
221
[DEFAULT]
180
222
# A configuration example
181
223
interface = eth0
182
 
address = 2001:db8:f983:bd0b:30de:ae4a:71f2:f672
 
224
address = fe80::aede:48ff:fe71:f6f2
183
225
port = 1025
184
226
debug = true
185
227
priority = SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP
186
228
servicename = Daena
187
229
use_dbus = False
 
230
use_ipv6 = True
 
231
restore = True
 
232
statedir = /var/lib/mandos
188
233
      </programlisting>
189
234
    </informalexample>
190
235
  </refsect1>
192
237
  <refsect1 id="see_also">
193
238
    <title>SEE ALSO</title>
194
239
    <para>
 
240
      <citerefentry><refentrytitle>intro</refentrytitle>
 
241
      <manvolnum>8mandos</manvolnum></citerefentry>,
195
242
      <citerefentry><refentrytitle>gnutls_priority_init</refentrytitle
196
243
      ><manvolnum>3</manvolnum></citerefentry>,
197
244
      <citerefentry><refentrytitle>mandos</refentrytitle>
225
272
              <para>
226
273
                The clients use IPv6 link-local addresses, which are
227
274
                immediately usable since a link-local addresses is
228
 
                automatically assigned to a network interfaces when it
 
275
                automatically assigned to a network interface when it
229
276
                is brought up.
230
277
              </para>
231
278
            </listitem>